docs icon indicating copy to clipboard operation
docs copied to clipboard
verified publisher icon docker

Minimal changes to trust/trust_sandbox docs

Open IAL32 opened this issue 4 years ago β€’ 7 comments

Proposed changes

The current Docker Content Trust sandbox documentation "Play in a content trust sandbox" is WAY out of date.

There have been some PRs that address this problem, like PR#10078, but I felt like they were adding too much complexity to the system, or they were not working at all.

Here I propose a minimal amount of changes needed for the documentation to still be relevant, without any major changes to the page's content.

Related issues

Fixes #12192 Fixes #11539

Feedback is nevertheless much appreciated!

IAL32 avatar Nov 30 '21 19:11 IAL32

Deploy Preview for docsdocker ready!

Built without sensitive environment variables

Name Link
Latest commit b09d743bdec77abca8b32e5b0a47a346fbda6acf
Latest deploy log https://app.netlify.com/sites/docsdocker/deploys/6305ecbc25a99000095c3686
Deploy Preview https://deploy-preview-13912--docsdocker.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

netlify[bot] avatar Nov 30 '21 19:11 netlify[bot]

Thank you for this proposal, it was helpful for massaging the documented trust sandbox environment to a workable state. I have a couple points of feedback:

  1. It looks like bash isn't available in the later registry:2.7 images, probably need suggest the same sh in the exec against sandboxregistry as is done for trustsandbox. (ref: step 2 of Test with malicious images)
  2. I don't think we need the port publishes added, as the guide is designed to be conducted from within trustsandbox.

thirdgen88 avatar Jan 12 '22 20:01 thirdgen88

Thank you @thirdgen88 for the answer!

  1. It looks like bash isn't available in the later registry:2.7 images, probably need suggest the same sh in the exec against sandboxregistry as is done for trustsandbox. (ref: step 2 of Test with malicious images)
  2. I don't think we need the port publishes added, as the guide is designed to be conducted from within trustsandbox.

True! I will change these in a future commit. Thanks!

IAL32 avatar Jan 13 '22 16:01 IAL32

@thaJeztah Could you PTAL?

usha-mandya avatar Feb 11 '22 10:02 usha-mandya

Close and reopen the PR to trigger CI checks

usha-mandya avatar Feb 24 '22 14:02 usha-mandya

Any updates on the pr status?

IAL32 avatar Apr 24 '22 07:04 IAL32

@IAL32 Thank you ! You can also remove the port mapping for the server service (4443:4443)

matletix avatar Aug 14 '22 23:08 matletix

Also the following command (here)

docker container exec -it sandboxregistry bash

should be :

docker container exec -it sandboxregistry sh

matletix avatar Aug 23 '22 20:08 matletix

@matletix I have addressed these issues now πŸ˜„

IAL32 avatar Aug 24 '22 09:08 IAL32

Deploy Preview for docsdocker ready!

Name Link
Latest commit ff6e04a6cdd074f2676a350dfae03d2800d16b1d
Latest deploy log https://app.netlify.com/sites/docsdocker/deploys/638733bdd546a70009f79902
Deploy Preview https://deploy-preview-13912--docsdocker.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

netlify[bot] avatar Oct 20 '22 13:10 netlify[bot]

Looks like I started a review a long time ago, but never submitted (I may have been looking at the technical side of Notary); let me submit the review, but have a look if all comments (still) make sense πŸ˜…

thaJeztah avatar Oct 20 '22 14:10 thaJeztah

I have implemented many of the changes from @thaJeztah , thanks! I have also updated some of the outputs.

let me know! πŸ˜„

IAL32 avatar Oct 20 '22 15:10 IAL32

Thanks for the pull request. We'd like to make our product docs better, but haven’t been able to review all the suggestions. As our docs have also diverged, we do not have the bandwidth to review and rebase old pull requests.

If the updates are still relevant, review our contribution guidelines and rebase your pull request against the latest version of the docs, then mark it as fresh with a /remove-lifecycle stale comment. If not, this pull request will be closed in 30 days. This helps our maintainers focus on the active pull requests.

Prevent pull requests from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

docker-robott avatar Nov 26 '22 01:11 docker-robott

/remove-lifecycle stale

IAL32 avatar Nov 30 '22 10:11 IAL32

@thaJeztah could you PTAL?

usha-mandya avatar Nov 30 '22 11:11 usha-mandya

Any updates? Belated happy 1 year for my PR πŸ₯³ @thaJeztah @usha-mandya @glours

IAL32 avatar Dec 12 '22 21:12 IAL32

I guess the malicious image section could still be useful in some form or another, but it's mostly to illustrate that Docker verifies the content when pulling (if the content's digest doesn't match it would reject the image)

thaJeztah avatar Apr 10 '23 16:04 thaJeztah

Thanks for the pull request. We'd like to make our product docs better, but haven’t been able to review all the suggestions. As our docs have also diverged, we do not have the bandwidth to review and rebase old pull requests.

If the updates are still relevant, review our contribution guidelines and rebase your pull request against the latest version of the docs, then mark it as fresh with a /remove-lifecycle stale comment. If not, this pull request will be closed in 30 days. This helps our maintainers focus on the active pull requests.

Prevent pull requests from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

docker-robot[bot] avatar Jul 09 '23 01:07 docker-robot[bot]